Bug 1101079

Summary: lircd prevented open on /dev/ttyS0
Product: [Fedora] Fedora
Component: selinux-policy
Version: 20
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: brian
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, lvrabec, mgrepl
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.12.1-177.fc20
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-07-19 05:59:47 UTC

Description brian 2014-05-26 05:37:17 UTC
Description of problem:
Tried to configure lircd for use with mythtv using irman driver, reading input from /dev/ttyS0.  SELINUX prevented.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-166.fc20.noarch
selinux-policy-3.12.1-166.fc20.noarch
lirc-0.9.0-21.fc20.x86_64
lirc-libs-0.9.0-21.fc20.x86_64

How reproducible:
Always.

Steps to Reproduce:
1.  Contents of /etc/sysconfig/lircd:
cat /etc/sysconfig/lirc 
# Note: in addition to these parameters, you need to have working    -*- sh -*-
# configuration file for lircd (and lircmd if enabled).

# Options to lircd(8).  Typically, this will be empty, as which driver to use
# should be specified using the LIRC_DRIVER variable below.
LIRCD_OPTIONS=""

# The infrared receiver (and/or transmitter) driver to be used by lircd(8),
# similar to passing "-H driver" to lircd(8).
# Run "/usr/sbin/lircd -H help" to get a listing of supported drivers.
#LIRC_DRIVER="default"
LIRC_DRIVER="irman"

# Which lirc device will be used by lircd(8).
# This is the same as passing "-d device" to lircd. It must be set.
LIRC_DEVICE="/dev/ttyS0"

# Options to lircmd(8). lircmd always runs with --nodaemon added
# to LIRCMD_OPTIONS.
LIRCMD_OPTIONS=""

# The infrared device used by lirc, if any. If this is set, lircd will
# enable the lirc protocol and disable kernel built-in handling using
# "echo lirc > /sys/class/rc/$LIRCD_IR_DEVICE/protocols" at startup.
# If unset, this is ignored.
# - The common case when there is just one ir device: LIRCD_IR_DEVICE="rc0".
# - Non-IR devices e. g., RF ones typically don't need this set.
# - If not set when required, the typical symptom is duobled key-presses.
# - If installing the lirc-disable-kernel-rc subpackage this setting is not
#   needed.
LIRCD_IR_DEVICE=""

2.  systemctl start lircd
3.

Actual results:
contents of /var/log/audit/audit.log:
type=AVC msg=audit(1401075440.018:2266): avc:  denied  { read write } for  pid=1076 comm="lircd" name="ttyS0" dev="devtmpfs" ino=8651 scontext=system_u:system_r:lircd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file



Expected results:
Able to read data from ttyS0

Additional info:
Following /var/log/message suggestion:
cat mypol.te 

module mypol 1.0;

require {
        type unlabeled_t;
        type tty_device_t;
        type lircd_t;
        class chr_file { write ioctl read lock open };
}

#============= lircd_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_use_tty'
allow lircd_t tty_device_t:chr_file { read write ioctl open lock };
allow lircd_t unlabeled_t:chr_file ioctl;

Fixed the problem.
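
An added example, not part of the original report or of the selinux-policy project: a Python check that compares the allow rules in the mypol.te module above with the AVC record quoted in the description and lists the permissions the module grants that the quoted record does not account for. The function names are hypothetical; the two sample inputs are copied from the report.

```python
import re

# Sample input: the AVC record quoted in the bug description.
AVC_LOG = ('type=AVC msg=audit(1401075440.018:2266): avc:  denied  { read write } for  '
           'pid=1076 comm="lircd" name="ttyS0" dev="devtmpfs" ino=8651 '
           'scontext=system_u:system_r:lircd_t:s0 '
           'tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file')

# Sample input: the allow rules from mypol.te in the description.
MODULE_TE = """
allow lircd_t tty_device_t:chr_file { read write ioctl open lock };
allow lircd_t unlabeled_t:chr_file ioctl;
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')
ALLOW_RE = re.compile(
    r'^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\w+))\s*;', re.M)

def ctx_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]

def denied(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    out = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (ctx_type(m.group(2)), ctx_type(m.group(3)), m.group(4))
            out.setdefault(key, set()).update(m.group(1).split())
    return out

def granted(te_text):
    """Map (source type, target type, class) to the permissions a module allows."""
    out = {}
    for src, tgt, cls, braces, single in ALLOW_RE.findall(te_text):
        out.setdefault((src, tgt, cls), set()).update((braces or single).split())
    return out

def unlogged_grants(log_text, te_text):
    """Permissions the module grants that no denial in log_text accounts for."""
    seen = denied(log_text)
    extra = {}
    for key, perms in granted(te_text).items():
        missing = perms - seen.get(key, set())
        if missing:
            extra[key] = missing
    return extra

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(unlogged_grants(AVC_LOG, MODULE_TE).items()):
        print(f"{src} -> {tgt}:{cls} grants without a quoted denial: {sorted(perms)}")
```

For these inputs it reports ioctl, open and lock on tty_device_t and ioctl on unlabeled_t, so those rules rest on audit records that are not quoted in this report.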

Comment 1 Daniel Walsh 2014-05-26 10:58:26 UTC
4002d3015d0dcb1848bee99c9a1b8928a29d50c5 fixes this in git.

Comment 2 Fedora Update System 2014-06-09 20:09:12 UTC
selinux-policy-3.12.1-167.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-167.fc20

Comment 3 Fedora Update System 2014-06-11 16:25:20 UTC
Package selinux-policy-3.12.1-167.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-167.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7240/selinux-policy-3.12.1-167.fc20
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-06-19 13:18:43 UTC
selinux-policy-3.12.1-171.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-171.fc20

Comment 5 Fedora Update System 2014-06-19 22:52:56 UTC
Package selinux-policy-3.12.1-171.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-171.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7499/selinux-policy-3.12.1-171.fc20
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2014-06-26 01:53:35 UTC
selinux-policy-3.12.1-171.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 brian 2014-06-27 02:53:08 UTC
Since the 171 policy was pushed, I attempted to test it by
semodule --remove mypol

where mypol.te contained:
cat mypol.te 

module mypol 1.0;

require {
        type unlabeled_t;
        type tty_device_t;
        type lircd_t;
        class chr_file { write ioctl read lock open };
}

#============= lircd_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_use_tty'
allow lircd_t tty_device_t:chr_file { read write ioctl open lock };
allow lircd_t unlabeled_t:chr_file ioctl;


Then yum update where it installed 171.  Rebooting,  lircd failed to connect to /dev/ttyS0, the following error was in /var/log/messages:
Jun 26 21:32:00 whisper sh: lircd-0.9.0[744]: accepted new client on /var/run/lirc/lircd
Jun 26 21:32:00 whisper sh: lircd-0.9.0[744]: could not open /dev/ttyS0
Jun 26 21:32:00 whisper sh: lircd-0.9.0[744]: irman_init(): Permission denied
Jun 26 21:32:00 whisper lircd-0.9.0[744]: accepted new client on /var/run/lirc/lircd
Jun 26 21:32:00 whisper lircd-0.9.0[744]: could not open /dev/ttyS0
Jun 26 21:32:00 whisper lircd-0.9.0[744]: irman_init(): Permission denied
Jun 26 21:32:00 whisper lircd-0.9.0[744]: Failed to initialize hardware
Jun 26 21:32:00 whisper sh: lircd-0.9.0[744]: Failed to initialize hardware



There wasn't a message about the failure in /var/log/audit/audit.log or a setroubleshoot message in messages.

Reinstalled mypol.pp, reboot, and it worked correctly again.

Comment 8 Fedora Update System 2014-07-02 12:40:03 UTC
selinux-policy-3.12.1-176.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-176.fc20

Comment 9 Fedora Update System 2014-07-03 04:09:02 UTC
Package selinux-policy-3.12.1-176.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-176.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8029/selinux-policy-3.12.1-176.fc20
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2014-07-04 00:30:54 UTC
selinux-policy-3.12.1-176.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 brian 2014-07-08 01:19:15 UTC
After upgrading to policy 176, no change.  lircd still cannot access /dev/ttyS0 without the mypol file above.

Jul  7 20:06:32 whisper sh: lircd-0.9.0[755]: accepted new client on /var/run/lirc/lircd
Jul  7 20:06:32 whisper sh: lircd-0.9.0[755]: could not open /dev/ttyS0
Jul  7 20:06:32 whisper sh: lircd-0.9.0[755]: irman_init(): Permission denied
Jul  7 20:06:32 whisper sh: lircd-0.9.0[755]: Failed to initialize hardware
Jul  7 20:06:32 whisper lircd-0.9.0[755]: accepted new client on /var/run/lirc/lircd
Jul  7 20:06:32 whisper lircd-0.9.0[755]: could not open /dev/ttyS0
Jul  7 20:06:32 whisper lircd-0.9.0[755]: irman_init(): Permission denied
Jul  7 20:06:32 whisper lircd-0.9.0[755]: Failed to initialize hardware


Once I reloaded mypol and rebooted, it works fine.
rpm -qa|grep selinux-policy
selinux-policy-3.12.1-176.fc20.noarch
selinux-policy-targeted-3.12.1-176.fc20.noarch

Comment 12 Lukas Vrabec 2014-07-08 08:25:12 UTC
commit 2e83809e4c474d6b9b8c156c77dd70657c907c7b
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jul 8 10:23:10 2014 +0200

    Allow lircd_t to use tty_device_t for use with mythtv

Comment 13 Fedora Update System 2014-07-15 09:42:26 UTC
selinux-policy-3.12.1-177.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-177.fc20

Comment 14 Fedora Update System 2014-07-17 04:28:51 UTC
Package selinux-policy-3.12.1-177.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-177.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8390/selinux-policy-3.12.1-177.fc20
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2014-07-19 05:59:47 UTC
selinux-policy-3.12.1-177.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 brian 2014-07-24 02:37:25 UTC
Policy 177 works fine now for Mythtv and lircd.

Thanks